Section 7 – Implement an Authentication and Access Management Solution – Plan and implement Azure MFA

Time for section 7 in my SC-300 study guide. The topics for today are:

  • plan Azure MFA deployment (excluding MFA Server)
  • implement and manage Azure MFA settings
  • manage MFA settings for users

What is Multi-factor Authentication?

Azure AD Multi-Factor Authentication (MFA) supplies added security for your identities by requiring two or more elements for full authentication.

These elements fall into three categories:

  • Something you know – which might be a password or the answer to a security question.
  • Something you possess – which might be a mobile app that receives a notification or a token-generating device.
  • Something you are – which typically is a biometric property, such as a fingerprint or face scan used on many mobile devices.

Conceptual art showing the pieces of MFA.

Licensing

  • Azure Active Directory Premium or Microsoft 365 Business – Both of these offerings support Azure AD Multi-Factor Authentication using security defaults to require multi-factor authentication.
  • Azure AD Free or standalone Microsoft 365 licenses – Use security defaults that require multi-factor authentication for your users and administrators.
  • Azure Active Directory Global Administrators – A subset of Azure AD Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
Feature availability by licensing option. Columns of the comparison: Azure AD Free – Security defaults (enabled for all users); Azure AD Free – Global Administrators only; Office 365; Azure AD Premium P1; Azure AD Premium P2. Features compared:

  • Protect Azure AD tenant admin accounts with MFA – ● (Azure AD Global Administrator accounts only)
  • Mobile app as a second factor
  • Phone call as a second factor
  • SMS as a second factor
  • Admin control over verification methods
  • Fraud alert
  • MFA Reports
  • Custom greetings for phone calls
  • Custom caller ID for phone calls
  • Trusted IPs
  • Remember MFA for trusted devices
  • MFA for on-premises applications
  • Conditional access
  • Risk-based conditional access
  • Identity Protection (Risky sign-ins, risky users)
  • Access Reviews
  • Entitlements Management
  • Privileged Identity Management (PIM), just-in-time access
Policy comparison. Columns of the comparison: Security defaults; Conditional Access; Per-user MFA. Criteria compared:

Management
  • Standard set of security rules to keep your company safe
  • One-click on/off
  • Included in Office 365 licensing (See license considerations)
  • Pre-configured templates in Microsoft 365 Admin Center wizard
  • Configuration flexibility

Functionality
  • Exempt users from the policy
  • Authenticate by phone call or SMS
  • Authenticate by Microsoft Authenticator and Software tokens
  • Authenticate by FIDO2, Windows Hello for Business, and Hardware tokens
  • Blocks legacy authentication protocols
  • New employees are automatically protected
  • Dynamic MFA triggers based on risk events
  • Authentication and authorization policies
  • Configurable based on location and device state
  • Support for “report only” mode
  • Ability to completely block users/services

Plan MFA Deployment

There are many methods that can be used for second-factor authentication. You can choose from the list of available authentication methods, evaluating each in terms of security, usability, and availability.

Plan user registration

A major step in every multifactor authentication deployment is getting users registered to use Azure AD Multi-Factor Authentication. Authentication methods such as Voice and SMS allow pre-registration, while others like the Authenticator App require user interaction. Administrators must determine how users will register their methods.
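Before deciding how users will register, it helps to know who has already registered something. The following PowerShell is an added example (not from the original post) that builds that inventory with the legacy MSOnline module, which is the module that exposes the per-user MFA state. It assumes the MSOnline module is installed, that you connect with an account allowed to read user objects, and the CSV path is a placeholder.

```powershell
# Added example (not from the original post): inventory which users have
# registered an MFA method, using the legacy MSOnline module.
# Assumes: MSOnline is installed (Install-Module MSOnline) and the signed-in
# account can read user objects. The export path is a placeholder.
Connect-MsolService

$report = Get-MsolUser -All | ForEach-Object {
    $methods = $_.StrongAuthenticationMethods
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        # Per-user MFA state: no requirement object means Disabled,
        # otherwise the object carries Enabled or Enforced
        PerUserMfaState   = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                                $_.StrongAuthenticationRequirements[0].State
                            } else { 'Disabled' }
        # MethodType values look like PhoneAppNotification, PhoneAppOTP,
        # OneWaySMS, TwoWayVoiceMobile
        RegisteredMethods = ($methods | ForEach-Object { $_.MethodType }) -join ','
        DefaultMethod     = if ($default) { $default.MethodType } else { '' }
        IsRegistered      = ($methods.Count -gt 0)
    }
}

# Users who will be prompted for MFA but have nothing registered yet:
# these are the people a registration campaign has to reach first.
$report | Where-Object { -not $_.IsRegistered } |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, PerUserMfaState -AutoSize

# Keep the full picture for the deployment plan
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

The interesting rows are the ones where PerUserMfaState is Enabled but IsRegistered is false: those users will hit the registration wizard at their next sign-in, so they are the ones to brief (or pre-register by phone or SMS, as the paragraph notes) before the state is changed to Enforced.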

MFA – How to enable MFA per user?

MFA can be enabled per user. Just search for MFA in the Azure portal.

And then configure.

In here You can configure MFA-related settings such as allowing App passwords (mostly You shouldn’t), trusted IPs and the verification options the MFA user can select. You can also allow the MFA approval to be remembered for a period of time.

When You browse to Users section You will find the users.

You can see that all the users are currently in a Disabled state.

If You choose a user You can select Enable or Manage user settings.

If You choose Enable, You will be welcomed with the following.

And when You enable the MFA for a user.

And if You choose Manage user settings, you will be welcomed with the following.

When You Enable a user, You will see Enforce in the menu.

You will be shown the following warning.

So the users have to have an App password if they want to use a non-browser application. This isn’t really accurate any more, as Outlook and Teams support MFA now, but before it was a problem.

Microsoft has a nice article on App passwords.

Configure app passwords for Azure AD Multi-Factor Authentication (Azure Active Directory): learn how to configure and use app passwords for legacy applications in Azure AD Multi-Factor Authentication.

You can also do a bulk update of users but You cannot select Enforced in here, only Enabled or Disabled.
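Where the portal's bulk update stops at Enabled/Disabled, the same per-user state can be set from PowerShell, and there the object also accepts Enforced. The following is an added example (not from the original post) using the legacy MSOnline module; it assumes an existing Connect-MsolService session with an admin role that can modify users, and the user names and CSV path are placeholders.

```powershell
# Added example (not from the original post): set the per-user MFA state
# (Disabled / Enabled / Enforced) with the legacy MSOnline module.
# Assumes Connect-MsolService has already been run by an admin account.
# User names and the CSV path are placeholders.

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'Enforced')] [string] $State
    )
    foreach ($upn in $UserPrincipalName) {
        if ($State -eq 'Disabled') {
            # Disabled is expressed by clearing the requirement list entirely
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
        } else {
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = '*'      # applies to every relying party
            $req.State = $State          # Enabled or Enforced
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        }
        # Read the state back so the change is verified, not assumed
        $current = (Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements
        $shown = if ($current.Count -gt 0) { $current[0].State } else { 'Disabled' }
        Write-Host "$upn -> $shown"
    }
}

# Bulk Enable a pilot group from a CSV that has a UserPrincipalName column
$pilot = Import-Csv .\pilot-users.csv | Select-Object -ExpandProperty UserPrincipalName
Set-PerUserMfaState -UserPrincipalName $pilot -State Enabled

# Move a user to Enforced once they have registered a method. As the warning
# above says, any of their non-browser clients without modern authentication
# will then need an App password.
Set-PerUserMfaState -UserPrincipalName 'user1@contoso.example' -State Enforced
```

Setting Enforced before a user has registered a method locks that user out of non-browser clients until they register, so the registration report from the planning step is the natural input to the second call.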

End-user experience

The end user goes to https://portal.office.com and is greeted with an MFA request.

If You chose an available authentication method for MFA at the beginning, for example Notification through mobile app, they will be shown this page instead of SMS verification.

Things to remember

MFA is available in the following licensing options:

  • Azure AD Free – Security defaults (enabled for all users)
  • Azure AD Free – Global Administrators only
  • Any Office 365 license
  • Azure AD Premium P1
  • Azure AD Premium P2

Author: Harri Jaakkonen
